1. Re: Wildfly SSLContext in domain mode
dlofthouse Nov 4, 2019 4:43 AM (in response to bshorty)
For this capability you will need to be defining an SSLContext within the Elytron subsystem; this in turn depends on key and trust managers and key stores as required to assemble a full configuration.
One thing to be aware of now is that the Elytron subsystem lives in two locations: -
- The host.xml
- Within profiles in the domain.xml
For other resources defined in the host.xml you should define the SSLContext within the subsystem definition also in the host.xml.
e.g. for management interfaces.
For resources defined in a domain.xml profile you should define the SSLContext within the subsystem definition within that profile.
e.g. for the Undertow HTTPS listener.
2. Re: Wildfly SSLContext in domain mode
bshorty Nov 6, 2019 7:14 PM (in response to dlofthouse)
Hey Darran,
thank you very much for the response. Given the previous requirement that you had to define the security-realm on the host side, but the https-listener on the domain side when doing this for domain mode, I had automatically gone down that same road.
Having defined the SSLContext, key-store, and key-manager in the elytron subsystem in the host configuration, when attempting to set the SSLContext for the https-listener on the domain profile side I got an error about the capability to do this not being present, which threw me - I was expecting an error about not finding the context, if anything. It seemed to indicate it simply wasn't possible, rather than it being a case of needing dependent components defined first.
Having now realised the elytron subsystem exists both on the host and in the profile as you say, and adjusted my understanding, I have worked out where I was going wrong. I was actually wanting to add the SSLContext to an https-listener in the load-balancer profile, which by default does not have the elytron subsystem at all. I have now worked out that if I add the elytron subsystem to the load-balancer profile, add the key-store to that, and then set the SSLContext on the listener, everything works!
So the main confusion was I needed to do this before I started anything else:
/profile=load-balancer/subsystem=elytron:add(disallowed-providers=[OracleUcrypto])
/profile=load-balancer/subsystem=elytron/provider-loader=elytron:add(module=org.wildfly.security.elytron)
/profile=load-balancer/subsystem=elytron:write-attribute(name=final-providers,value=elytron)
/profile=load-balancer/subsystem=elytron/file-audit-log=local-audit:add(path=audit.log,relative-to=jboss.server.log.dir,format=JSON)
/profile=load-balancer/subsystem=elytron/provider-http-server-mechanism-factory=global:add(providers=elytron)
Is there something in the documentation that points this out? I didn't see it, and it is definitely something worth considering highlighting if not, as it feels like a case of 'obvious when you know'.
Cheers for the help!
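The complete sequence the second post describes, written out as an added example for readers of this thread (it is not configuration from the thread or from the WildFly project): bootstrap Elytron in the load-balancer profile (the first three lines are the post's own commands), add a key store, key manager and server SSL context to that profile, then switch the profile's https-listener from its legacy security-realm to the Elytron ssl-context. The resource names lbKS, lbKM and lbSSC, the keystore file lb.keystore under jboss.domain.config.dir, the listener name https, the server group lb-server-group and the CHANGEME password are all assumptions chosen for the example; substitute your own.

```jboss-cli
# Added example, not part of the thread: give the load-balancer profile its own
# Elytron subsystem and put an Elytron server-ssl-context on its https-listener.
# Assumed names (not from the thread): lbKS, lbKM, lbSSC, lb.keystore,
# listener "https", server group "lb-server-group". CHANGEME is a placeholder.

# 1. Bootstrap the Elytron subsystem inside the profile (the post's own commands).
/profile=load-balancer/subsystem=elytron:add(disallowed-providers=[OracleUcrypto])
/profile=load-balancer/subsystem=elytron/provider-loader=elytron:add(module=org.wildfly.security.elytron)
/profile=load-balancer/subsystem=elytron:write-attribute(name=final-providers,value=elytron)

# 2. Key store holding the server certificate and its private key.
#    The file must exist under the referenced directory on every host that runs
#    a server of this profile; the profile only carries the reference to it.
/profile=load-balancer/subsystem=elytron/key-store=lbKS:add(path=lb.keystore,relative-to=jboss.domain.config.dir,type=JKS,credential-reference={clear-text=CHANGEME})

# 3. Key manager that unlocks that key store.
/profile=load-balancer/subsystem=elytron/key-manager=lbKM:add(key-store=lbKS,credential-reference={clear-text=CHANGEME})

# 4. Server-side SSLContext. Pinning the protocol list keeps legacy TLS versions
#    off the listener instead of inheriting whatever the JVM default allows.
/profile=load-balancer/subsystem=elytron/server-ssl-context=lbSSC:add(key-manager=lbKM,protocols=["TLSv1.2"])

# 5. Point the listener at it. On https-listener, ssl-context and security-realm
#    are alternatives, so remove one and set the other in a single batch.
batch
/profile=load-balancer/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/profile=load-balancer/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=lbSSC)
run-batch

# 6. Reload the servers that run this profile so the listener picks up the new context.
/server-group=lb-server-group:reload-servers
```

Run it with jboss-cli.sh connected to the domain controller. Note that `credential-reference={clear-text=...}` leaves the keystore password in domain.xml; once the setup works, move it into an Elytron credential store and reference that instead. After the reload, confirming the change is a matter of connecting to the load balancer's HTTPS port with a TLS client such as `openssl s_client` and checking that the certificate from lb.keystore is served and only the pinned protocol versions are negotiated.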